The Attack

On August 10, Ahmed Mansoor, a human rights activist from the United Arab Emirates, received a strange text message. The message said, “New secrets about torture of Emiratis in state prisons.” The text contained an unknown link.

In the past, government hackers already targeted Mansoor using software from FinFisher and Hacking Team. Out of suspicion, he didn’t click the link and instead forwarded the message. He sent the message to Bill Marczak, a researcher at Citizen Lab. Using a test iPhone, the researchers partnering with Lookout found that the link executed a chain of zero-day exploits that Citizen Lab calls Trident.

The attack allows for a hacking group to jailbreak a person’s iPhone remotely. It then secretly steals and intercepts all data and communications going in and out. Mike Murray, vice president of research at Lookout, said, “It basically steals all the information on your phone, it intercepts every call, it intercepts every text message, it steals all the emails, the contacts, the FaceTime calls. It also basically backdoors every communications mechanism you have on the phone…”

NSO Group

So who is responsible for this attack? Citizen Lab recognized the link belonging to an Israeli surveillance vendor called NSO Group. An American venture capital firm called Francisco Partners Management invested in NSO Group in 2014 for $120 million.

Founded in 2010, NSO made a reputation for selling malware to governments. NSO boasts that its products are stealthy “like a ghost.” They don’t have a website and don’t provide interviews or comments to the press. Only a small amount of information on them leaked out.

“We’re a complete ghost,” NSO co-founder Omri Lavie told Defense News, a military trade publication, last summer. “We’re totally transparent to the target, and we leave no traces.”

John Scott-Railton of Citizen Lab noted how authoritarian governments often target dissidents and activists at any cost: “This indicates the incredible power of the voices of journalists and activists who attract this kind of extremely expensive malware.”

Apple takes security and privacy seriously, and as a result, iOS exploits like this are rare. The tools and technology needed to find and leverage iOS zero-days can be worth as much as one million. After all of this research, Citizen Lab initiated a disclosure process by notifying Apple. Apple quickly released an update to iOS, version 9.3.5.

Links To Other Groups

In May, Citizen Lab discovered a new hacking group called Stealth Falcon. They couldn’t confirm, but they suspected that the group had a connection to the UAE government. As part of its research, Citizen Lab mapped parts of the group’s infrastructure, such as servers and domains. The researchers couldn’t find malware samples until Mansoor’s text.

After testing, Citizen Lab followed an online trail of breadcrumbs and found a server and IP associated with the spyware. They had already found that this server and address linked to Stealth Falcon. But then they found that an NSO employee’s registered server pointed to the same IP address.

Inside the malware was a code string – “PegasusProtocol”. Pegasus is the codename that NSO uses for their spyware. Citizen Lab found more domains associated with NSO and discovered that some of them appeared to impersonate humanitarian organizations like the Red Cross.

A purported screenshot of NSO Group’s Pegasus Working Station software, which visualizes location data collected from infected devices (as of March 2012).

NSO Group Statement

A statement by NSO Group spokesperson Zamir Dahbash said the company’s mission “is to help make the world a safer place by providing authorized governments with technology that helps them combat terror and crime. The company sells only to authorized governmental agencies, and fully complies with strict export control laws and regulations…”

CEO of cybersecurity firm Trail Of Bits Dan Guido said, “Apple has raised the cost of exploiting their devices higher than any other vendor out there. But this highlights the need for better compromise detection for iOS…iOS is still the single most secure consumer device available.”

This isn’t the end, though. Despite finding and publicizing this and other attacks, Citizen Lab continues to find new attacks. The attacks often come from the same governments, and even against the same targets.

What You Can Do

For most readers, it’s unlikely that they are the target of authoritarian governments. However, that’s no excuse not to update. ALL iPhone users should immediately update to iOS 9.3.5.